# Investigate Flash Loan Txn

#### Summary

Flash loan transactions are a very common form of exploit on the blockchain. Here we will investigate an actual on-chain incident where funds were stolen and moved to a rogue wallet.

#### Blockscope Tools we will use

| Action                                                      | Tool Used                      |
| ----------------------------------------------------------- | ------------------------------ |
| Decode the initial Transaction                              | Blockscope Transaction Decoder |
| Trace the stolen funds                                      | Blockscope Token Tracer        |
| Check Wallet for balance                                    | Blockscope Wallet Profiler     |
| Find Associated Wallets                                     | Blockscope Wallet Profiler     |
| Set up real-time monitoring wallet holding the stolen funds | Blockscope Watchtower          |

#### Customer Types

The following customer types would be interested in conducting on-chain investigations similar to the one we are about to conduct.

* Institutions
* Government Agencies
* Regulators
* Forensics Teams

#### Investigation

1\) Investigation entry point: search for the blockchain transaction.

<figure><img src="https://content.gitbook.com/content/u6j6hcNOyPOKLizRHHwG/blobs/wvycgz9TGmQXcsTaUYvM/Screenshot%202023-11-08%20at%206.17.49%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

2\) We can see that Blockscope was able to decode most of the on-chain data.

<figure><img src="https://content.gitbook.com/content/u6j6hcNOyPOKLizRHHwG/blobs/QwAESMzidCzwOkZBm9wX/Screenshot%202023-11-08%20at%206.19.35%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

3\) Let's look at the top addresses, protocols and tokens involved in this transaction

<figure><img src="https://content.gitbook.com/content/u6j6hcNOyPOKLizRHHwG/blobs/xbbuN4XZ6LqBJbf0l23C/Screenshot%202023-11-08%20at%206.26.05%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

4\) The first red flag that goes off is seeing the Self Destruct function.

<figure><img src="https://content.gitbook.com/content/u6j6hcNOyPOKLizRHHwG/blobs/J2zKDLFXA9S2nuwAhsV8/Screenshot%202023-11-08%20at%206.26.49%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

5\) We can see all the known (green) accounts and unknown (red/orange) accounts. This high-level view tells us what protocols and tokens were used.

<figure><img src="https://content.gitbook.com/content/u6j6hcNOyPOKLizRHHwG/blobs/xmeFF8hsrYJJ5OssbNzy/Screenshot%202023-11-08%20at%206.28.37%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

6\) Filtering the interactions to show only transfers of ERC-20 and native tokens lets us trace the stolen funds to one particular account. We can now focus on tracing the funds in and out of that account using the Tracer Tool.

<figure><img src="https://content.gitbook.com/content/u6j6hcNOyPOKLizRHHwG/blobs/UNkSBcq1cg3Wi4opJE84/Screenshot%202023-11-08%20at%206.30.15%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

7\) We can see the 65 ETH that moved into this account and its subsequent movement to KyberSwap and another contract.

<figure><img src="https://content.gitbook.com/content/u6j6hcNOyPOKLizRHHwG/blobs/xXJVtsWysn8HtlqkKiD5/Screenshot%202023-11-08%20at%206.31.33%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

8\) Further analysis shows that this user is a repeat exploiter who has gained 962 ETH from exploits in the past, worth over 2M USD today.

<figure><img src="https://content.gitbook.com/content/u6j6hcNOyPOKLizRHHwG/blobs/Q7gejRv8MtS4dbd44Sgy/Screenshot%202023-11-08%20at%206.33.16%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

9\) Using Wallet Profiler, we check the wallet’s holdings and see that it still had the 2M worth of Ether.

<figure><img src="https://content.gitbook.com/content/u6j6hcNOyPOKLizRHHwG/blobs/bshngrYU43ez99MrZdaD/Screenshot%202023-11-08%20at%206.38.09%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

10\) Looking at the very first transaction, the user supplied funds here via an account that used Tornado Cash on Feb 14, 2020. This was probably an attempt to keep their identity hidden by using funds that went through Tornado Cash.

<figure><img src="https://content.gitbook.com/content/u6j6hcNOyPOKLizRHHwG/blobs/GOBMInZ7HTCXdto4Q0FS/Screenshot%202023-11-08%20at%206.39.05%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

11\) With a few clicks, we’ve set up monitoring using Blockscope's Watchtower tool.

<figure><img src="https://content.gitbook.com/content/u6j6hcNOyPOKLizRHHwG/blobs/bD4xqGalxw0vqfreCE80/Screenshot%202023-11-08%20at%206.40.42%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>

12\) We will be notified in real time of any new activity from this wallet.

<figure><img src="https://content.gitbook.com/content/u6j6hcNOyPOKLizRHHwG/blobs/o3SeVL5vMeX2U99I7K70/Screenshot%202023-11-08%20at%206.41.28%E2%80%AFPM.png" alt=""><figcaption></figcaption></figure>
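
The triage in steps 4 to 6, reduced to code as an added example (not Blockscope's code or API): it flags the self-destructed contract, keeps only ERC-20 and native transfers, and nets them per address so the flash-loan principal cancels out and the unknown receiving account stands out. The action records, field names, placeholder addresses and amounts are all constructed for illustration, and WETH is counted 1:1 with ETH.

```python
from collections import defaultdict

# Constructed decoded actions for a single transaction. Field names and the
# placeholder addresses are assumptions, not any tool's export format.
ACTIONS = [
    {"kind": "call",   "src": "EOA",    "dst": "ATTACK"},
    {"kind": "erc20",  "src": "LENDER", "dst": "ATTACK", "asset": "WETH", "amount": 1000},
    {"kind": "erc20",  "src": "ATTACK", "dst": "VICTIM", "asset": "WETH", "amount": 1000},
    {"kind": "erc20",  "src": "VICTIM", "dst": "ATTACK", "asset": "WETH", "amount": 1066},
    {"kind": "erc20",  "src": "ATTACK", "dst": "LENDER", "asset": "WETH", "amount": 1001},
    {"kind": "erc20",  "src": "ATTACK", "dst": "WETH9",  "asset": "WETH", "amount": 65},
    {"kind": "native", "src": "WETH9",  "dst": "ATTACK", "asset": "ETH",  "amount": 65},
    {"kind": "native", "src": "ATTACK", "dst": "SINK",   "asset": "ETH",  "amount": 65},
    {"kind": "selfdestruct", "src": "ATTACK", "dst": "SINK"},
]
KNOWN = {"LENDER", "VICTIM", "WETH9"}  # labelled ("green") accounts


def net_flows(actions):
    """Net ETH-equivalent flow per address, over token transfers only."""
    net = defaultdict(int)
    for a in actions:
        if a["kind"] in ("erc20", "native"):  # drop calls, selfdestructs, etc.
            net[a["src"]] -= a["amount"]
            net[a["dst"]] += a["amount"]
    return dict(net)


def triage(actions, known):
    """Summarise red flags: destroyed contracts, unlabelled sinks, losers."""
    net = net_flows(actions)
    destroyed = sorted({a["src"] for a in actions if a["kind"] == "selfdestruct"})
    # Unlabelled addresses that end the transaction richer, largest first.
    sinks = sorted(((addr, v) for addr, v in net.items()
                    if v > 0 and addr not in known), key=lambda p: -p[1])
    # Addresses that end the transaction poorer, largest loss first.
    losers = sorted(((addr, v) for addr, v in net.items() if v < 0),
                    key=lambda p: p[1])
    return {"selfdestruct": destroyed, "unknown_sinks": sinks, "losers": losers}


if __name__ == "__main__":
    for key, value in triage(ACTIONS, KNOWN).items():
        print(f"{key}: {value}")
```

The borrowing contract nets to zero because the loan is repaid inside the same transaction, which is why the net view isolates the loss and the receiving wallet better than the raw transfer list does.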
